Symantec has revoked numerous wrongly issued certificates, including for domains such as example.com and test.com. This is not the first time the security firm’s certificate issuance practices have come under scrutiny.
The misissued certificates were spotted via the Certificate Transparency (CT) system by Andrew Ayer, founder of SSLMate. The expert discovered several certificates for example.com, which he confirmed were not authorized by the domain’s owner. He also identified certificates for domains such as test.com, test1.com, test2.com, and others containing the string “test.”
Ayer found more than 100 wrongly issued certificates attributed to Symantec and its subsidiaries GeoTrust and Thawte. Several fields in the problematic certificates contain the value “test,” which suggests they were issued for testing purposes.
Even if the certs were only for testing, if a system allows employees to bypass authorization, it will allow attackers to bypass it too.
— Andrew Ayer (@__agwa) January 19, 2017
Steven Medin, PKI policy manager at Symantec, said the certificates had been issued by one of the company’s WebTrust-audited partners. Medin said this partner’s privileges have been reduced to restrict further issuance and that all of the reported certificates have been revoked.
“We have restricted this partner’s issuance privileges while we continue to review this matter. While most of the listed certificates were already revoked by the partner, Symantec revoked all remaining valid certificates within the 24 hour CA/B Forum guideline. Our investigation is on-going,” Symantec told SecurityWeek.
Ayer has advised domain owners to monitor CT logs to determine whether unauthorized certificates have been issued for their websites. Since this is not the first time Symantec has misissued certificates, the expert has also recommended excluding the company via CAA records, which let domain owners specify which CAs may issue certificates for their domain.
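The two defensive measures above fit together: CAA tells compliant CAs which issuers a domain owner has authorized, while CT monitoring catches issuance that happened anyway (for instance by a partner that bypassed the CA's own checks, as in this incident). The following is an added example, not code from the article or from SSLMate, that evaluates a CAA record set the way RFC 8659 describes (climb the name tree to the nearest CAA set, honour the critical flag, prefer issuewild for wildcard names, treat a bare ";" as "no CA") and then uses that logic to flag CT-observed issuances that CAA would not have permitted. The zone data, CA identifiers (trusted-ca.example, untrusted-ca.example) and CT observations are all constructed for the example; real CAA checking reads these records from DNS, and note that CAA is an allow-list, so "excluding" a CA means listing only the CAs you do want.

```python
"""CAA evaluation and a CT-observation check, as an added worked example.

Assumes a constructed zone (a dict standing in for DNS answers) so it runs
offline; the CA identifiers and observations below are made up.
"""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value) of one CAA resource record

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone data, NOT real DNS answers.
SAMPLE_ZONE: Dict[str, List[CaaRecord]] = {
    "example.test": [
        (0, "issue", "trusted-ca.example"),          # only this CA may issue
        (0, "issuewild", ";"),                        # no CA may issue wildcard certs
        (0, "iodef", "mailto:security@example.test"),  # where CAs report violations
    ],
    "strict.example.test": [
        (128, "customtag", "opaque"),                 # unknown property with critical flag set
    ],
}


def find_relevant_caa(name: str, zone: Dict[str, List[CaaRecord]]) -> Tuple[Optional[str], List[CaaRecord]]:
    """Return the closest ancestor-or-self of `name` that has CAA records, plus those records."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = zone.get(candidate)
        if records:
            return candidate, records
    return None, []


def _issuer_matches(value: str, ca_id: str) -> bool:
    """The issuer domain is the part before the first ';'; an empty issuer (bare ';') matches nobody."""
    issuer = value.split(";", 1)[0].strip().lower()
    return issuer != "" and issuer == ca_id.lower()


def ca_may_issue(name: str, ca_id: str, zone: Dict[str, List[CaaRecord]], wildcard: bool = False) -> bool:
    """Decide whether the CA identified by `ca_id` is permitted to issue for `name` under CAA."""
    _, records = find_relevant_caa(name, zone)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is not restricted

    # A critical (0x80) property the CA does not understand forbids issuance outright.
    if any(flags & 0x80 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in records):
        return False

    issue = [v for _, tag, v in records if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in records if tag.lower() == "issuewild"]

    # For wildcard names, issuewild (if present) overrides issue; otherwise issue applies.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # CAA set exists but carries no issue/issuewild properties

    return any(_issuer_matches(v, ca_id) for v in relevant)


def flag_unexpected(observed: List[Tuple[str, str]], zone: Dict[str, List[CaaRecord]]) -> List[Tuple[str, str]]:
    """Given (domain, issuing CA) pairs seen in CT logs, return those CAA would not have permitted."""
    return [(domain, ca) for domain, ca in observed if not ca_may_issue(domain, ca, zone)]


if __name__ == "__main__":
    # Constructed CT observations: one expected issuance and one that should raise an alarm.
    seen = [
        ("www.example.test", "trusted-ca.example"),
        ("www.example.test", "untrusted-ca.example"),
    ]
    for domain, ca in flag_unexpected(seen, SAMPLE_ZONE):
        print(f"unexpected certificate for {domain} issued by {ca}")
```

In practice the observation list would come from a CT monitor's feed for your domains and the zone from live DNS, but the decision logic is the same; the second observation above is the kind of entry CT monitoring surfaces even when a CAA record should have prevented it.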
In October 2015, Google asked Symantec to improve its certificate issuance practices after Thawte was caught releasing certificates for google.com domains. The company claimed to have issued the certificates for testing purposes, but it ultimately decided to terminate some employees after completing its investigation.
Symantec’s certificate business also made the news in February 2016, when the company asked browser vendors to allow it to issue nine new SSL certificates signed with SHA-1 for Worldpay after the payment processor failed to upgrade some devices before the December 31, 2015, deadline.
*Updated with statement from Symantec